Week 8 in Review – 2011

Events Related

RSA Conference 2011
If you ignored the weather and the travel delays caused by having a former US President and the current President of the United States in town, the conference was highly enjoyable this year.

More exciting than HBGary’s email, world’s #1 hacker expose or 5up3r $3kret.gov leak, it is time for the DEF CON Call for Papers to open!

Resources

Throwing Star LAN Tap – ossman.blogspot.com
It is a simple cross of CAT5 cable spliced together to permit in-line monitoring of Ethernet connections.

SQL Injection: bypassing addslashes() – securityreliks.securegossip.com
This is really simple. Many will try to nullify SQL injection using the PHP addslashes() function. However, this is easily bypassed using an invalid multi-byte character. Let me illustrate how this works.

Nmap mssql scripts feature boost – cqure.net
Chris Woodbury and I have been working on some new exciting features and enhancements to the ms-sql scripts and library in Nmap lately.

Launching OWASP Defenders Community – michael-coates.blogspot.com
I’ve created the OWASP Defenders Community as the first step towards a vision of OWASP I outlined the other day.

The Open Pentest Bookmarks Collection – securityaegis.com
…is just that, a collection of handy bookmarks I initially collected that aid me in my day to day work or I find in the course of research.

Penetration Testing Execution Standard – pentest-standard.org
It is a new standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing.

Building the ultimate bad arse CUDA cracking server – secmaniac.com
If you followed my blog post about a year ago, me and another one of my friends Josh Kelley built a CUDA cracking server that consisted of an ASROCK overclocker motherboard and 4 GTX 295’s which was a nice accomplishment building it from scratch.

Pentest lab vulnerable servers application list – r00tsec.blogspot.com
In this post I’m going to present some useful resources to learn about penetration testing and where to use exploitation tools and techniques in a safe and legal environment.

Reversing Android – zonbi.org
These are just some useful links to tools and blogs on reversing Android applications and the Android platform. I haven’t had a chance to play with them as yet, but I’m hoping to spend some time on it a little later this evening.

OllyDbg 2.01 Alpha 2! – ollydbg.de
Our first post regarding OllyDbg can be found here. Now, the intermediate release OllyDbg version 2.01 alpha 2 has been released finally!

[Tool] String Encoder – securityreliks.securegossips.com
String Encoder is a useful tool when doing XSS and SQLI attacks that require filter bypass. The input to the tool takes whatever your string is, and then encodes it according to your desires and outputs it in an injectable format. Here are the current options.

vbSEO – From XSS to Reverse PHP Shell – exploit-db.com
XSS is not a big deal, or is it? On many occasions, I’ve seen this vulnerability being classified as useless, not serious, and being a low threat.

Ubertooth spectrum analyzer – ossman.blogspot.com
I took a break from hardware and manufacturing concerns tonight and sat down to write some code. I probably should have worked on the USB bootloader, but instead I wrote a simple spectrum analysis function for the Ubertooth platform.

Exploit Research Megaprimer (over 300 Minutes) using Backtrack – backtrack-linux.org
As promised, I have finally started the Exploit Research Megaprimer. I will be dealing with topics like buffer overflows, heap sprays, SEH, SafeSEH, DEP, ASLR etc. in this series and will take up examples from the real world to illustrate these concepts.

Harddrive Password Recovery – hackaday.com
These passwords are stored in a special area of the hard disk that also contains the firmware for the device.

OSINT: large email address list imports with Maltego – holisticinfosec.blogspot.com
Given the recent HBGary debacle, you’ll soon see where the following discussion may prove useful for discovery of relationships between entries in a large list of email addresses.

Brute Forcing Passwords pt. 2 – pauldotcom.com
In this post I hope to go beyond the basics and demonstrate some approaches I use to significantly increase the quality of my tests as well as my chances of success.

GOTO 10 – zonbi.org
So I’ve been spending a little time playing with OS X and trying my hand at reverse engineering some binaries.

Anti-debugging tricks revealed – corelan.be
I love cartoons, and I love reversing, so I decided to play a little bit with that binary (b300.exe) which was a lot of fun. Because some interesting anti-debugging tricks were implemented into the binary, I decided to make a short video about the reversing process.

Don’t get blinded by the Flash – blog.rapid7.com
Flash has become a de-facto standard for Web applications, yet most vulnerability management solutions don’t do a very good job verifying Flash content.

NIST boosts crypto with faster SHA-2 functions – thinq.co.uk
The National Institute of Standards and Technology, guardian of America’s cryptography standards, has announced a new extension to the SHA-2 hashing algorithm family that promises to boost performance on modern chips.

Oracle Database Firewall Security – petefinnigan.com
A firewall is not activity monitoring and as stated in the article most of the DAM product players support IDS/IPS and also audit trail facilities.

DSD tests Apple iOS for national security – zdnet.com.au
John Sheridan, first assistant secretary of AGIMO, responded to questions from a Senate Estimates committee this week, informing senators that the DSD hadn’t yet certified Apple’s mobile operating system for use with private wireless networks that handle material of national security.
